CVE-2020-7471

Advisory

Django 1.11.28, 2.2.10 and 3.0.3 include a fix for CVE-2020-7471: SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

==========================

*February 3, 2020*

Django 3.0.3 fixes a security issue and several bugs in 3.0.2.

CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
===================================================================

:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
subject to SQL injection, using a suitably crafted ``delimiter``.

Bugfixes
========

* Fixed a regression in Django 3.0 that caused a crash when subtracting
``DateField``, ``DateTimeField``, or ``TimeField`` from a ``Subquery()``
annotation (:ticket:`31133`).

* Fixed a regression in Django 3.0 where ``QuerySet.values()`` and
``values_list()`` crashed if a queryset contained an aggregation and
``Exists()`` annotation (:ticket:`31136`).

* Relaxed the system check added in Django 3.0 to reallow use of a sublanguage
in the :setting:`LANGUAGE_CODE` setting, when a base language is available in
Django but the sublanguage is not (:ticket:`31141`).

* Added support for using enumeration types ``TextChoices``,
``IntegerChoices``, and ``Choices`` in templates (:ticket:`31154`).

* Fixed a system check to ensure the ``max_length`` attribute fits the longest
choice, when a named group contains only non-string values (:ticket:`31155`).

* Fixed a regression in Django 2.2 that caused a crash of
:class:`~django.contrib.postgres.aggregates.ArrayAgg` and
:class:`~django.contrib.postgres.aggregates.StringAgg` with ``filter``
argument when used in a ``Subquery`` (:ticket:`31097`).

* Fixed a regression in Django 2.2.7 that caused
:meth:`~django.db.models.Model.get_FOO_display` to work incorrectly when
overriding inherited choices (:ticket:`31124`).

* Fixed a regression in Django 3.0 that caused a crash of
``QuerySet.prefetch_related()`` for ``GenericForeignKey`` with a custom
``ContentType`` foreign key (:ticket:`31190`).


==========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
• https://www.openwall.com/lists/oss-security/2020/02/03/1
• https://docs.djangoproject.com/en/3.0/releases/security/
• https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI
• https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
• http://www.openwall.com/lists/oss-security/2020/02/03/1
• https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
• https://usn.ubuntu.com/4264-1/
• https://seclists.org/bugtraq/2020/Feb/30
• https://www.debian.org/security/2020/dsa-4629
• https://security.netapp.com/advisory/ntap-20200221-0006/
• https://security.gentoo.org/glsa/202004-17
• https://lists.fedoraproject.org/archives/list/[email protected]/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/